InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Researchers from vx-underground reported that FBI hacker âUSDoDâ leaked sensitive data from consumer credit reporting agency TransUnion.
TransUnion is an American consumer credit reporting agency. TransUnion collects and aggregates information on over one billion individual consumers in over thirty countries, including â200 million files profiling nearly every credit-active consumer in the United Statesâ.
A threat actor who goes by the moniker âUSDoDâ announced the leak of highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of about 58,505 people, all across the globe, including the America and Europe
According to researchers vx-underground who reported the leak, the archive contains data that dates back to March 2nd, 2022, which could be the data of the data breach.
This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe
vx-underground states that leaked data includes individual first name, last name, Internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, when TransUnion first began monitoring their information.
Today a Threat Actor named "USDoD" leaked sensitive data from TransUnion. This won't be the last of "USDoD" today though. He also compromised NATO. We'll discuss that later. But first, TransUnion.
The leaked database, over 3GB in size, contains highly sensitive PII on 58,505⊠pic.twitter.com/RtCvsUVWrT
The name USDoD is well known in the cyber security sector, it was also listed in the indictment for the notorious owner of the BreachForums cybercrime forum Pompompurin. vx-underground pointed out that they are believed to be behind many other high-profile security breaches.
Recently, The multinational aerospace corporation Airbus announced that it is investigating a data leak after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the companyâs vendors to the dark web.
âUSDoDâ announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.
The hacker claimed to have details on thousands of Airbus vendors. The threat actors obtained the personal information of 3,200 individuals associated with Airbus vendors, exposed data include names, job titles, addresses, email addresses, and phone numbers.
In December 2022, the FBIâs InfraGard US Critical Infrastructure Intelligence portal was hacked and a database containing the contact details of more than 80,000 high-profile private sector individuals was offered for sale by USDoD on the Breached cybercrime forum.
After the law enforcement shutdown of âBreachedâ forum, its members, including âUSDoD,â moved to other platforms such as âBreachForums.â
âUSDoDâ posted two threads on this new forum, one to announce they have joined the notorious ransomware group Ransomed. In the second threat, the hacker exposed the personal information of 3,200 sensitive Airbus vendors. USDoD also warned that Lockheed Martin and Raytheon might be the next targets.
âThreat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, âUSDoDâ revealed they gained access to Airbusâs data by exploiting âemployee access from a Turkish Airlineâ.â reported Hudson Rock. âUsing this information, Hudson Rock researchers succeeded to trace the mentioned employee access â a Turkish computer infected with an info-stealing malware in August 2023.â
According to the researchers, the computer of the victim was likely infected with the RedLine stealer after he attempted to download a pirated version of the Microsoft .NET framework.
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.
It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.
Mobile Verification Toolkit key features
MVTâs capabilities are continuously evolving, but some of its key features include:
Decrypt encrypted iOS backups.
Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
Extract installed applications from Android devices.
Extract diagnostic information from Android devices through the adb protocol.
Compare extracted records to a provided list of malicious indicators in STIX2 format.
Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.
Researchers find a GitHub repository belonging to Microsoft’s AI research unit that exposed 38TB of sensitive data, including secret keys and Teams chat logs â Microsoft AI researchers accidentally exposed tens of terabytes of sensitive data, including private keys and passwords âŠ
The need for cybersecurity professionals is at an all-time high in our rapidly evolving digital landscape. As cyber threats continue to advance and grow in frequency, businesses are showing a strong commitment to safeguarding their valuable data and networks, resulting in a significant rise in job openings within the cybersecurity field, some of which come with attractive compensation packages. In this article, author delve into the ten highest-paying positions within the cybersecurity sector, shedding light on the specific roles, duties, and salary brackets linked to each role.
Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.
According to a CoinDesk report, one the known victims is Fortress Trust, i.e., four of its customers who accessed their crypto funds via a portal built by Retool.
It all started with an SMS
The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.
The phishing text message. (Source: Retool)
Spoofed to look like it was coming from the companyâs IT department, the goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call by the attacker.
âThe caller claimed to be one of the members of the IT team, and deepfaked our employeeâs actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,â Snir Kodesh, Retoolâs head of engineering, shared on Wednesday.
âThe additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employeeâs Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.â
And because the employeeâs MFA codes were synched with their Google account, the attacker now had access to all MFA tokens held within that account.
âWith these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),â Kodesh noted, and added that the attacker also poked around some of the Retool apps â but didnât specify which ones.
âWe have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.â
Whoâs to blame?
âSocial engineering can affect anyone,â Kodesh noted, and âeven with perfect training and awareness of these attacks, mistakes will happen.â He also put some on the blame for the hack on Google.
âUnfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this âfeatureâ. If you want to disable it, there isnât a clear way to âdisable syncing to the cloudâ, instead there is just a âunlink Google accountâ option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticatorâs sync âfeatureâ,â he explained.
âThrough this Google update, what was previously multi-factor-authentication had silently (to administrators) become single single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.â
Of course, Google cannot be blamed for this breach entirely â Retool should have regularly reviewed the protections theyâve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.
If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed â as a similar attack against Cloudflare employees did a year ago.
The investigation is ongoing
Retool is working with law enforcement and a third party forensics firm to investigate the breach in depth.
So far, they found that 27 cloud customers have been affected (and they notified them all), but that on-premise Retool customers remain secure.
âRetool on-prem operates in a âzero trustâ environment, and doesnât trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,â Kodesh noted.
Fortressâ customers, on the other hand, apparently lost nearly $15 million.
UPDATE (September 15, 2023, 04:35 a.m. ET):
âOur first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,â Google stated.
âBeyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, weâll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.â
Email communication is still widely used as an attack vector despite the ever-changing nature of cyber threats.
The vast number of people who use it for communication daily, both professionally and personally, makes it a tempting target.
Cybercriminals are becoming more skilled at using malicious email campaigns in line with the growth of advanced technologies and increased security measures taken by businesses.
VIPRE Security found that 85.01% of phishing emails had harmful links inside the message body, and the volume of spam emails increased by 30.0% from the first to the second quarter of 2023.
In addition, phishing attacks against IT companies are now more common (14%) than against financial institutions (9%).
The Limitations of Traditional Spam Filters
Conventional spam filters rely on static rule-based systems with predetermined criteria or known dangerous signatures to identify emails as spam.
Their strict compliance with predetermined policies leaves companies vulnerable to ever-evolving cyberattacks. These filters rely too much on signature-based detection, making them vulnerable to zero-day threats and unable to protect against recent or modified malware.
They canât detect hidden risks like spear phishing since they donât have advanced behavioral analysis. In addition, it cannot examine potentially harmful information in isolation without sandboxing characteristics.
As a result, the ever-evolving and complicated nature of cyber threats makes their traditional approaches ineffective.
Next-Generation Email Firewalls are the latest technologies for protecting against malicious emails. To quickly prevent new threats, such as zero-day vulnerabilities, these systems interact with real-time threat intelligence feeds, unlike traditional spam filters, which depend primarily on static rules.
They scan things in-depth, including emails, embedded URLs, and attachments. Sandboxing is essential since it allows testing of potentially harmful information in a secure environment.
Advanced systems use machine learning and behavioral analytics to identify complex phishing attacks like this. These firewalls use authentication protocols like DMARC, DKIM, and SPF to prevent spoofing and verify email senders.
In addition, they have measures to prevent sensitive information from being accidentally leaked. These solutions, which are frequently cloud-native, provide a robust and complex approach to email security while scaling efficiently and integrating smoothly with existing security infrastructure.
How do Next-Gen Email Firewalls Protect Your Inbox?
Advanced Threat Intelligence â The use of real-time threat intelligence helps to identify and prevent emerging attacks, such as those that exploit zero-day flaws, as soon as they appear.
Deep Content Inspection â Rather than simply scanning the emailâs information, these firewalls read the message in full, including any embedded URLs or files attached, to discover any hidden risks.
Sandboxing â To prevent viruses and malware from reaching their intended recipients, suspicious attachments and URLs are displayed in a safe, isolated environment.
Behavioral Analytics â These firewalls may identify spear-phishing initiatives by learning the senderâs typical activity patterns and comparing them to suspicious emails that appear to be from the same sender but act differently.
Identity Verification â Using authentication methods like DMARC, DKIM, and SPF, these tools ensure that all email arrives genuine and from a known source, protecting users from spoofing and phishing attempts.
Data Loss Prevention (DLP) â Besides inbound threats, they monitor outgoing emails to prevent sensitive material from being transmitted without authorization or violating regulations.
Machine Learning â Many modern firewalls use machine learning to âlearnâ from the attacks they block and better detect various threats over time.
Next-Gen Email Firewalls vs. Traditional Email Security
Next-Gen Email Firewalls
Traditional email security
Quickly adapt to new threats by using real-time threat intelligence.
It uses a static collection of threats and patterns to make decisions.
Emails, URLs, and attachments are all placed through an extensive content analysis.
Metadata and simple patterns are the primary areas of security inspection.
Uses content isolation technologies (sandboxes) to investigate potentially harmful data.
Doesnât have a sandboxing environment.
Utilizes machine learning and behavioral analytics for real-time threat assessment.
Depending on predetermined guidelines rather than monitoring user activity
Designed specifically for use in the cloud, this safeguards the present remote workforces.
Less flexible with cloud integrations; works best in local installations.
The sophisticated analysis and learning capabilities have resulted in fewer false positives.
There is an increase in false positives because of the inflexibility of rule-based systems.
Countering Sophisticated Email Threats with Next-Gen Email Firewalls
The importance of Next-Generation Email Firewalls in preventing modern email threats cannot be underestimated.
These modern firewalls utilize real-time threat intelligence to detect and neutralize recent security risks instead of the static rules used by older systems.
They investigate thoroughly, looking at every aspect of the email, from the subject line to the attachments. Sandboxing is a technique to test malicious code in a safe, restricted setting.
Unusual behaviors, such as those used in spear phishing or impersonation, can be detected via machine learning.
In addition, email spoofing may be prevented using sender authentication methods such as DMARC, DKIM, and SPF.
By authenticating the senderâs identity and confirming the accuracy of the received messages, these procedures act as the first line of protection against email-based threats.
SPF aims to improve email security by limiting the possibility that an unauthorized sender
In DKIM, the transmitting server gives Each email a unique DKIM signature generated using a private key. The DNS records of the sender are queried to retrieve the senderâs public key, which is then used to validate the emailâs signature.
With DMARC, website administrators may specify how they want their domainâs incoming mail servers to deal with unencrypted messages that have not been authenticated. It has a policy and a statement, with three options (reject, quarantine, or do nothing).
Why Trustifi ? â AI-Powered Protection for Business Email Security
Next-generation email firewalls will benefit from quantum-resistant algorithms, IoT integration, and adaptive AI for threat prediction in the long run.
Trustifiâs advanced protection uses machine learning and AI to quickly find and stop the most sophisticated email-based attacks, such as ransomware, malware, phishing attacks (malicious links), CEO impersonation protection, BEC, and account compromise, keeping hackers out of inboxes with the following email threat protection solutions.
These firewalls will prioritize cross-platform connectivity, robust data protection measures, and real-time threat sharing in response to the constantly evolving nature of cyber threats.
Instead of hiring full time CISO, many organizations are hiring vCISO on subscription basis or on a retainer to gain access to expert cyber security advice in form of a virtual CISO when required. vCISO offer C level strategic assistance and tactical level guidance in devising and implementing strategy to build a security program, to assess security program, to reduce risk and to prevent or mitigate the impact of the attacks.
What may be the primary concern for an organization to seek vCISO services: The primary concern for an organization seeking Information Security (InfoSec) services is the protection of their sensitive data and digital assets. They are deeply concerned about potential cyber threats and vulnerabilities that could compromise the confidentiality, integrity and availability of their information systems. These concerns often stem from the increasing frequency and sophistications of cyberattacks, as well as the potential legal and reputational consequences of data breaches.
Organizations may also worry about compliance and industry regulations and data protection laws, as failing to meet these requirements can result in severe penalties and damage to their reputation. Moreover, organizations frequently express worries regarding the expenses associated with Information Security services and their ability to seamlessly integrate these services into their current IT infrastructure without causing disruptions. The aim of an organization is to find a harmonious equilibrium between security and operational effectiveness while adhering to budget limitations.
A Virtual CISO can effectively address primary concerns for organizations seeking information security services by providing expert guidance and support without the need for a full-time in-house CISO. They assist in identifying and mitigating security risks, ensuring cost-effectiveness, seamless integration into existing IT infrastructure and finding the right balance between security and operational efficiency, all while staying within budget constraints.
Distributed denial of service (DDoS) events occur when a threat actor sends traffic floods from multiple sources to disrupt the availability of a targeted application. DDoS simulation testing uses a controlled DDoS event to allow the owner of an application to assess the applicationâs resilience and practice event response. DDoS simulation testing is permitted on Amazon Web Services (AWS), subject to Testing policy terms and conditions. In this blog post, we help you understand when itâs appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test.
DDoS protection at AWS
Security is the top priority at AWS. AWS services include basic DDoS protection as a standard feature to help protect customers from the most common and frequently occurring infrastructure (layer 3 and 4) DDoS events, such as SYN/UDP floods, reflection attacks, and others. While this protection is designed to protect the availability of AWS infrastructure, your application might require more nuanced protections that consider your traffic patterns and integrate with your internal reporting and incident response processes. If you need more nuanced protection, then you should consider subscribing to AWS Shield Advanced in addition to the native resiliency offered by the AWS services you use.
AWS Shield Advanced is a managed service that helps you protect your application against external threats, like DDoS events, volumetric bots, and vulnerability exploitation attempts. When you subscribe to Shield Advanced and add protection to your resources, Shield Advanced provides expanded DDoS event protection for those resources. With advanced protections enabled on your resources, you get tailored detection based on the traffic patterns of your application, assistance with protecting against Layer 7 DDoS events, access to 24Ă7 specialized support from the Shield Response Team (SRT), access to centralized management of security policies through AWS Firewall Manager, and cost protections to help safeguard against scaling charges resulting from DDoS-related usage spikes. You can also configure AWS WAF (a web application firewall) to integrate with Shield Advanced to create custom layer 7 firewall rules and enable automatic application layer DDoS mitigation.
Acceptable DDoS simulation use cases on AWS
AWS is constantly learning and innovating by delivering new DDoS protection capabilities, which are explained in the DDoS Best Practices whitepaper. This whitepaper provides an overview of DDoS events and the choices that you can make when building on AWS to help you architect your application to absorb or mitigate volumetric events. If your application is architected according to our best practices, then a DDoS simulation test might not be necessary, because these architectures have been through rigorous internal AWS testing and verified as best practices for customers to use.
Using DDoS simulations to explore the limits of AWS infrastructure isnât a good use case for these tests. Similarly, validating if AWS is effectively protecting its side of the shared responsibility model isnât a good test motive. Further, using AWS resources as a source to simulate a DDoS attack on other AWS resources isnât encouraged. Load tests are performed to gain reliable information on application performance under stress and these are different from DDoS tests. For more information, see the Amazon Elastic Compute Cloud (Amazon EC2) testing policy and penetration testing. Application owners, who have a security compliance requirement from a regulator or who want to test the effectiveness of their DDoS mitigation strategies, typically run DDoS simulation tests.
DDoS simulation tests at AWS
AWS offers two options for running DDoS simulation tests. They are:
A simulated DDoS attack in production traffic with an authorized pre-approved AWS Partner.
A synthetic simulated DDoS attack with the SRT, also referred to as a firedrill.
The motivation for DDoS testing varies from application to application and these engagements donât offer the same value to all customers. Establishing clear motives for the test can help you choose the right option. If you want to test your incident response strategy, we recommend scheduling a firedrill with our SRT. If you want to test the Shield Advanced features or test application resiliency, we recommend that you work with an AWS approved partner.
DDoS simulation testing with an AWS Partner
AWS DDoS test partners are authorized to conduct DDoS simulation tests on customersâ behalf without prior approval from AWS. Customers can currently contact the following partners to set up these paid engagements:
Before contacting the partners, customers must agree to the terms and conditions for DDoS simulation tests. The application must be well-architected prior to DDoS simulation testing as described in AWS DDoS Best Practices whitepaper. AWS DDoS test partners that want to perform DDoS simulation tests that donât comply with the technical restrictions set forth in our public DDoS testing policy, or other DDoS test vendors that arenât approved, can request approval to perform DDoS simulation tests by submitting the DDoS Simulation Testing form at least 14 days before the proposed test date. For questions, please send an email to aws-ddos-testing@amazon.com.
After choosing a test partner, customers go through various phases of testing. Typically, the first phase involves a discovery discussion, where the customer defines clear goals, assembles technical details, and defines the test schedule with the partner. In the next phase, partners run multiple simulations based on agreed attack vectors, duration, diversity of the attack vectors, and other factors. These tests are usually carried out by slowly ramping up traffic levels from low levels to desired high levels with an ability for an emergency stop. The final stage involves reporting, discussing observed gaps, identifying actionable tasks, and driving those tasks to completion.
These engagements are typically long-term, paid contracts that are planned over months and carried out over weeks, with results analyzed over time. These tests and reports are beneficial to customers who need to evaluate detection and mitigation capabilities on a large scale. If youâre an application owner and want to evaluate the DDoS resiliency of your application, practice event response with real traffic, or have a DDoS compliance or regulation requirement, we recommend this type of engagement. These tests arenât recommended if you want to learn the volumetric breaking points of the AWS network or understand when AWS starts to throttle requests. AWS services are designed to scale, and when certain dynamic volume thresholds are exceeded, AWS detection systems will be invoked to block traffic. Lastly, itâs critical to distinguish between these tests and stress tests, in which meaningful packets are sent to the application to assess its behavior.
DDoS firedrill testing with the Shield Response Team
Shield Advanced service offers additional assistance through the SRT, this team can also help with testing incident response workflows. Customers can contact the SRT and request firedrill testing. Firedrill testing is a type of synthetic test that doesnât generate real volumetric traffic but does post a shield event to the requesting customerâs account.
These tests are available for customers who are already on-boarded to Shield Advanced and want to test their Amazon CloudWatch alarms by invoking a DDoSDetected metric, or test their proactive engagement setup or their custom incident response strategy. Because this event isnât based on real traffic, the customer wonât see traffic generated on their account or see logs that drive helpful reports.
These tests are intended to generate associated Shield Advanced metrics and post a DDoS event for a customer resource. For example, SRT can post a 14 Gbps UDP mock attack on a protected resource for about 15 minutes and customers can test their response capability during such an event.
Note: Not all attack vectors and AWS resource types are supported for a firedrill. Shield Advanced onboarded customers can contact AWS Support teams to request assistance with running a firedrill or understand more about them.
Conclusion
DDoS simulations and incident response testing on AWS through the SRT or an AWS Partner are useful in improving application security controls, identifying Shield Advanced misconfigurations, optimizing existing detection systems, and improving incident readiness. The goal of these engagements is to help you build a DDoS resilient architecture to protect your applicationâs availability. However, these engagements donât offer the same value to all customers. Most customers can obtain similar benefits by following AWS Best Practices for DDoS Resiliency. AWS recommends architecting your application according to DDoS best practices and fine tuning AWS Shield Advanced out-of-the-box offerings to your application needs to improve security posture.
Threat actors were using Windows Arbitrary File Deletion to perform Denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that this Windows Arbitrary file deletion can be used for a full compromise.
The possibility of this attack depends on the CVE-2023-27470 arbitrary file deletion vulnerability combining it with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently creates an elevated Command Prompt.
CVE-2023-27470 & TOCTOU â Technical Analysis
CVE-2023-27470 affects N-Ableâs Take Control Agent, which can lead to an arbitrary file deletion vulnerability. This vulnerability analysis was done using Microsoftâs Process Monitor, often called ProcMon.
This vulnerability exists due to insecure file operations conducted by NT AUTHORITY\SYSTEM processes that were detected with the help of ProcMon filters.
The process that was analyzed during this vulnerability was BASupSrvcUpdater.exe, belonging to Take Control Agent 7.0.41.1141.
Race Condition
BASupSrvcUpdater.exe attempts every 30 seconds to a non-existent folder under the C:\ProgramData\GetSupportService_N-Central\PushUpdates as an NT AUTHORITY\SYSTEM process. For further research, this PushUpdates folder and a dummy file aaa.txt were created.
BASupSrvcUpdater.exe made an attempt to read the contents of the folder and performed a deletion, which was logged in the C:\ProgramData\GetSupportService_N-Central\Logs\BASupSrvcUpdater_[DATE].log log file.
This particular action gives rise to a race condition, as a threat actor can exploit this condition by utilizing the timeframe between the deletion and logging.
To exploit this condition and perform a full system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink.
A complete report about this attack has been published, which provides detailed information about the exploitation, techniques, process, and method of complete system compromise.
To prevent this attack, it is recommended for organizations using N-able to upgrade to version 7.0.43 to fix this vulnerability.
Software as a Service (SaaS) security refers to the measures and practices employed to protect SaaS solutionsâ data, applications, and infrastructure.
SaaS is a cloud computing model where software applications are hosted and delivered over the internet, rather than installed and run on individual devices or servers.
While SaaS offers numerous benefits, such as scalability and accessibility, it also introduces security challenges that organizations must address to safeguard their data and maintain compliance with regulatory requirements.
The software under this architecture is hosted centrally, with the service provider responsible for everything from database management to network administration to availability checks and infrastructure maintenance.
Data is often kept on centralized servers spread across numerous data centers and accessed by users via a web interface.
SaaS typically employs multi-tenancy, a deployment model in which a single software instance serves numerous customers whose data and settings are isolated.
Virtualization, load balancing, and backup storage are all part of this architectureâs strategy for delivering scalable, dependable, and readily available software solutions on demand.
Following the SaaS security checklist helps you understand the blind spots and focus on securing your SaaS apps and data.
Why is SaaS Security important?
Software as a service (SaaS) applications frequently deal with sensitive data, ranging from personal information to confidential corporate details, making SaaS security essential.
Due to their internet-based nature, these apps are vulnerable to data theft and denial-of-service attacks.
Data loss, financial consequences, legal issues, and reputational harm are all possible outcomes of a hacked SaaS service.
In addition, due to the shared nature of SaaSâs basic infrastructure, a single vulnerability might affect several users.
Moreover, while convenient, attackers may easily exploit SaaS due to its reliance on centralized data storage. Robust security for SaaS protects users and inspires confidence in the digital economy overall.
Itâs also a legal need for many businesses. Therefore, SaaS providers must place a premium on security to preserve credibility, safeguard customers, and guarantee the smooth running of operations.
To Protect Your SaaS Apps and data, Download the free Enterprise SaaS Security Technical Guide here.
Challenges and Risks for Security in SaaS
SaaSâs cloud-based, sharing nature (Software as a Service) raises security concerns and hazards.Â
SaaS security checklist â Challenges and Risks
Data breach risk is significant since SaaS services are easily breached due to centralized storage.
The multi-tenancy framework might cause data leakage if clients are not adequately segregated.
Data breaches might occur due to insufficient access restrictions, and when using third-party infrastructure, you have to put your faith in their safety precautions.
SaaS Insecure Application Programming Interfaces APIs, which might open them to cyberattacks if they are not properly secured.
Due to an increasing number of off-site data storage, often in separate countries, ensuring continued regulatory compliance is a challenging task.
Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows
A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium.
The activity has been codenamed Steal-It by Zscaler ThreatLabz.
“In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs,” security researchers Niraj Shivtarkar and Avinash Kumar said.
Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing, and red teaming.
The attacks leverage as many as five different infection chains, although they all leverage phishing emails containing ZIP archives as the starting point to infiltrate specific targets using geofencing techniques –
NTLMv2 hash stealing infection chain, which employs a custom version of the aforementioned Start-CaptureServer PowerShell script to harvest NTLMv2 hashes
System info stealing infection chain, which OnlyFans lures to target Australian users into downloading a CMD file that pilfers system information
Fansly whoami infection chain, which uses explicit images of Ukrainian and Russian Fansly models to entice Polish users into downloading a CMD file that exfiltrates the results of the whoami command
Windows update infection chain, which targets Belgium users with fake Windows update scripts designed to run commands like tasklist and systeminfo
It’s worth noting that the last attack sequence was highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in May 2023 as part of an APT28 campaign directed against government institutions in the country.
This raises the possibility that the Steal-It campaign could also be the work of the Russian state-sponsored threat actor.
“The threat actors’ custom PowerShell scripts and strategic use of LNK files within ZIP archives highlights their technical expertise,” the researchers said. “The persistence maintained by moving files from the Downloads to Startup folder and renaming them underscores the threat actors’ dedication to prolonged access.”
Notepad++ v8.5.7 has been released, which has several bug fixes and new features. There has also been Integrity and authenticity validation, added Security enhancement and fixed a memory leak while reading Utf8-16 files.
Multiple vulnerabilities in Notepad++ relating to Heap buffer read overflow, Heap buffer write overflow & Global buffer read overflow were previously reported. However, the new version of Notepad++ claims to have patched these vulnerabilities.
Gitlab security researcher Jaroslav LobaÄevski (@JarLob) discovered these vulnerabilities during the end of August 2023. However, as part of the GitLab coordinated disclosure policy, these vulnerabilities were publicly disclosed before Notepad++ patched them.
Notepad++ v8.5.7
This current new version of Notepad++ implemented the integrity and authenticity validation by introducing the GPG Notepad++ Public key which can be used for the verification of GPG Signature. In addition to that, SHA-256 digests of binary packages have also been added which can be used for checking the integrity of your Notepad++ download.
Other fixes include Document disassociated issue, Dragging tab performance issue, Session file saving problem, product version value displayed in fileâs properties and activating wrong file(s) were also rectified as part of this new release.
Furthermore, Notepad++ has added an option to suppress file with more than 2GB. This option enables Notepad++ to wait for user confirmation before opening a large file.
âNotepad++ will completely hang and await user confirmation when trying to open a file bigger than 2GB.â reads the issue on GitHub. Notepad++ has also released their current version of source code which can be found in this link.
It is recommended for users of Notepad++ to upgrade to version 8.5.7 in order to fix the vulnerabilities and improve the applicationâs performance.
IS27002 Control:-Vulnerability Management Why penetration test is important for an organization. Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards. #informationsecurity #cyberdefense #cybersecurity Cheat sheet for pentester Image credit:-https://lnkd.in/eb2HRA3n
A newly identified advanced persistent threat (APT) group is using sophisticated cyberespionage techniques and custom malware to target government and technology sector organizations in at least six countries, including the United States.
Trend Micro said it discovered the group, which it calls Earth Estries, earlier this year, although they have been active since at least 2020.
In a Wednesday post, Trend Micro researchers describe Earth Estries as a sophisticated hacker group that is currently running an active campaign in the Philippines, Taiwan, Malaysia, South Africa and Germany, as well as the U.S.
âFrom a general overview of the tools and techniques used in this ongoing campaign, we believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,â the researchers wrote.
Trend Micro did not attribute the group to a particular country but said it found some overlaps between the tactics, techniques and procedures (TTPs) used by Earth Estries and those used by another APT group, FamousSparrow.
âMoreover, the code similarities and TTPs between Earth Estries and FamousSparrow suggests a possible connection between them,â the researchers said.
Further evidence, including tracked IP addresses and common technical formatting themes also suggested there were âstrong tiesâ between the two groups.
In a 2021 research report, ESET linked FamousSparrow to two other APT groups, SparklingGoblin and DRBControl, both of which have been connected to Chinese threat actors.
Focused on evading detection
Trend Micro said after compromising internal servers, Earth Estries used valid accounts with administrative privileges to covertly move laterally across its victimsâ networks.
âTo leave as little footprint as possible, they use PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interfaceâs (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.â
The researchers said Earth Estries deployed a range of tools to carry out its campaign, including commonly used remote control tools such as Cobalt Strike and PlugX, but also novel backdoors and information stealers.
Included in its toolkit was Zingdoor, a Go HTTP backdoor with cross-platform capabilities which was first developed in June 2022 and has only been deployed on limited occasions.
The group also used TrillClient, a custom browser data stealer, also written in Go, which connected to a GitHub repository to retrieve commands, and HemiGate, a backdoor with keylogging capabilities.
âLike most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. We observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal,â the researchers said.
âWe also noted that the threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.â
The NIST Gap Assessment Tool will cost-effectively assess your organization against the NIST SP 800-171 standard. It will help you to:
Understand the NIST SP 800-171 requirements for storing, processing, and transmitting CUI (Controlled Unclassified Information)
Quickly identify your NIST SP 800-171 compliance gaps
Plan and prioritise your NIST SP 800-171 project to ensure data handling meets U.S. DoD (Department of Defense) requirements
Get started with your NIST SP 800-171 compliance project
The DoD requires U.S. contractors and their subcontractors to have an available assessment of their compliance with NIST SP 800-171. As part of a national movement to have a consistent approach to cybersecurity across the U.S., even organizations that store, process, or transmit unclassified and/or sensitive information must complete an assessment.
ITG NIST Gap Assessment Tool provides the assessment template you need to guide you through compliance with the DoDâs requirements for NIST SP 800-171. The tool lays out all 14 categories and 110 security controls from the Standard, in Excel format, so you can complete a full and easy-to-use assessment with concise data reporting.
What does the tool do?
Features the following tabs: âInstructionsâ, âSummaryâ, and âAssessment and SSP (System Security Plan)â.
The âInstructionsâ tab provides an easy explanation of how to use the tool and assess your compliance project, so you can complete the process without hassle.
The âAssessment and SSPâ tab shows all control numbers and requires you to complete your assessment of each control.
Once you have completed the full assessment, the âSummaryâ tab provides high-level graphs for each category and overall completion. Analysis includes an overall compliance score and shows the amount of security controls that are completed, ongoing, or not applied in your organization.
The âSummaryâ tab also provides clear direction for areas of development and how you should plan and prioritize your project effectively, so you can start the journey of providing a completed NIST SP 800-171 assessment to the DoD.
This NIST Gap Assessment Tool is designed for conducting a comprehensive compliance assessment. NIST SP 800-171 Assessment Tool.
MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.
The MITRE Calder for OT is now accessible to the general public as an addition to the open-source Caldera platform that may be found on GitHub. This would make it possible for cybersecurity specialists who deal with industrial control systems (ICS) to carry out automated adversary simulation exercises. These exercises will have the goal of testing and improving their cyber defenses on a constant basis. In addition to this, this includes security inspections as well as exercises involving red, blue, and purple teams.
This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).
The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United Statesâ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nationâs Cybersecurity, which was issued by President Biden in May 2021. Work done by CISA and HSSEDI to automate opponent emulation simulations in CISAâs Control Environment Laboratory Resource (CELR) served as the foundation for the OT extension, which was developed upon that work. This made it possible to identify hostile strategies that may be implemented in Caldera.
The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.
These plugins, which are stored in the âcaldera-otâ repository, are essential instruments for the protection of operational technology (OT) settings.
They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.
The purpose of these plugins is to facilitate enemy simulation inside the OT environment. This was the driving force behind their development.
Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.
In addition to this, it is compatible with classic use cases for Caldera, such as rigorous testing of security mechanisms and operator training.
The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.
A presentation titled âEmulating Adversary Actions in the Operational Environment with Caldera (TM) for OTâ has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.
Users may apply the following command in order to install the whole collection of Caldera for OT plugins:
Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.
At the moment, the following three important plugins are available:
BACnet Catering to Building Automation and Control Networks (BACnet) protocol.
DNP Addressing the Distributed Network Protocol 3 (DNP3).
Modbus Supporting the Modbus protocol.
Open-Source OT Protocol Libraries That Are Unified And Exposed To Users. Caldera for OT plugins is a service provided by MITRE that aims to standardize and expose open-source OT protocol libraries, making them available for use as protocol-specific plugins. Each plugin comes with its own extensive documentation.
Analysis of chatter in criminal underground message exchanges, however, reveals that the pieces exist for multi-layered, widespread attacks in the coming years. And given that the automotive industryâs customary development cycles are long, waiting for the more sophisticated cyberattacks on connected cars to appear is not a practical option.
What should the worldâs automotive OEMs and suppliers do now to prepare for the inevitable transition from todayâs manual, car-modding hacks to tomorrowâs user impersonation, account thefts and other possible attacks?
How connectivity is changing car crime
As our vehicles become more connected to the outside world, the attack surface available to cybercriminals is rapidly increasing, and new âsmartâ features on the current generation of vehicles worldwide open the door for new threats.
Our new âsmartphones on wheelsââalways connected to the internet, utilizing many apps and services, collecting tremendous amounts of data from multiple sensors, receiving over-the-air software updates, etc.âstand to be attacked in similar ways to how our computers and handheld devices already are today.
Automotive companies need to think now about those potential future threats. A car that an OEM is planning today will likely reach the market in three to five years. It will need to be already secured against the cyberthreat landscape that might be in existence by then. If the car hits the market without the required cybersecurity capabilities, the job of securing it will become significantly more difficult.
The likelihood of substantially more frequent, devious, and harmful attacks is portended by the complex attacks on connected cars that we have seen devised by industry researchers. Fortunately, the attacks to this point largely have been limited to these theoretical exercises in the automotive industry. Car modding â e.g., unlocking a vehicleâs features or manipulating mileage â is as far as real-world implementation has gotten.
Connectivity limits some of the typical options that are available to criminals specializing in car crime. The trackability of contemporary vehicles makes reselling stolen cars significantly more challenging, and even if a criminal can manage to take a vehicle offline, the associated loss of features renders the car less valuable to potential buyers.
Still, as connectivity across and beyond vehicles grows more pervasive and complicated, so will the threat. How are attacks on tomorrowâs connected cars likely to evolve?
Emerging fronts for next-generation attacks
Because the online features of connected cars are managed via user accounts, attackers may seek access to those accounts to attain control over the vehicle. Takeover of these car-user accounts looms as the emerging front for attack for would-be car cybercriminals and even criminal organizations, creating ripe possibilities for user impersonation and the buying and selling of the accounts.
Stealing online accounts and selling them to rogue collaborators who can act on that knowledge tee up a range of future possible attacks for tomorrowâs automotive cybercriminals:
Selling car user accounts
Impersonating users via phishing, keyloggers or other malware
Remote unlocking, starting and controlling connected cars
Opening cars and looting for valuables or committing other one-off crimes
Stealing cars and selling for parts
Locating cars to pinpoint ownersâ residential addresses and to identify when owners are not home
The crime triangle takes shape
Connected car cybercrime is still in its infancy, but criminal organizations in some nations are beginning to recognize the opportunity to exploit vehicle connectivity. Surveying todayâs underground message forums quickly reveals that the pieces could quickly fall into place for more sophisticated automotive cyberattacks in the years ahead. Discussions on underground crime forums around data that could be leaked and needed/available software tools to enable attacks are already intensifying.
A post from a publicly searchable auto-modders forum about a vehicleâs multi-displacement system (MDS) for adjusting engine performance, is symbolic of the current activity and possibilities.
Another, in which a user on a criminal underground forum offers a data dump from car manufacturer, points to the possible threats that likely are coming to the industry.
Though they still seem to be limited to accessing regular stolen data, compromises and network accesses are for sale in the underground. The crime triangle (as defined by crime analysts) for sophisticated automotive cyberattacks is solidifying:
Target â The connected cars that serious criminals will seek to exploit in the years ahead are becoming more and more prevalent in the global marketplace.
Desire â Criminal organizations will find ample market incentive to monetize stolen car accounts.
Opportunity â Hackers are steeped in inventive methods to hijack peopleâs accounts via phishing, infostealing, keylogging, etc.
Penetrating and exploiting connected cars
The ways for seizing access to the data of users of connected cars are numerous: introducing malicious in-vehicle infotainment (IVI) apps, exploiting unsecure IVI apps and network connections, taking advantage of unsecure browsers to steal private data, and more.
Also, thereâs a risk of exploitation of personally identifiable information (PII) and vehicle telemetric data (on a carâs condition, for example) stored in smart cockpits, to inform extremely personalized and convincing phishing emails.
Hereâs one method by which it could happen:
An attacker identifies vulnerabilities that can be exploited in a browser.
The attacker creates a professional, attractive webpage to offer hard-to-resist promotions to unsuspecting users (fast-food coupons, discounts on vehicle maintenance for the userâs specific model and year, insider stock information, etc.)
The user is lured into visiting the malicious webpage, which bypasses the browserâs security mechanisms
The attacker installs backdoors in the vehicle IVI system, without the userâs knowledge or permission, to obtain various forms of sensitive data (driving history, conversations recorded by manufacturer-installed microphones, videos recorded by built-in cameras, contact lists, text messages, etc.)
The possible crimes enabled by such a process are wide ranging. By creating a fraudulent scheme to steal the userâs identity, for example, the attacker would be able to open accounts on the userâs behalf or even trick an OEM service team into approving verification requestsâat which point the attacker could remotely open the vehicleâs doors and allow a collaborator to steal the car.
Furthermore, the attackers could use the backdoors that they installed to infiltrate the vehicleâs central gateway via the IVI system by sending malicious messages to electronic control units (ECUs). A driver could not only lose control of the carâs IVI system and its geolocation and audio and video data, but also the ability to control speed, steering and other safety-critical functions of the vehicle, as well as the range of vital data stored in its digital clusters.
Positioning today for tomorrowâs threat landscape
Until now there might have been reluctance among OEMs to invest in averting cyberattacks, which havenât yet materialized in the real world. But a 2023 Gartner Research report, âAutomotive Insight: Vehicle Cybersecurity Ecosystem Creates Partnership Opportunities,â is among the industry research documenting a shift in priorities.
Driven by factors such as the significant risk of brand and financial damage from cyberattacks via updatable vehicle functions controlled by software, as well as emerging international regulatory pressures such as the United Nations (UN) regulation 155 (R155) and ISO/SAE 21434, OEMs have begun to emphasize cybersecurity.
And today, they are actively evaluating and, in some cases, even implementing a few powerful capabilities:
Security for IVI privacy and identity
Detection of IVI app vulnerabilities
Monitoring of IVI app performance
Protection of car companion apps
Detection of malicious URLs
24/7 surveillance of personal data
Investing in cybersecurity in the design stage, versus after breaches, will ultimately prove less expensive and more effective in terms of avoiding or mitigating serious crimes involving money, vehicle and identity theft from compromised personal data by the worldâs most savvy and ambitious business criminals.
Resecurity has identified a large-scale smishing campaign, tracked as Smishing Triad, targeting the US Citizens.
Earlier episodes have revealed victims from the U.K., Poland, Sweden, Italy, Indonesia, Japan and other countries â the group was impersonating the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), Postnord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate). Similar scams have been observed before targeting Fedex and UPS.
The bad actors attributed to Chinese-speaking cybercriminals are leveraging a package tracking text scam sent via iMessage to collect personal (PII) and payment information from the victims with the goal of identity theft and credit card fraud. The cybercriminal group with the associated campaign has been named âSmishing Triadâ as it leverages smishing as the main attack vector and originates from China.
Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims, for example, a postal service like the United States Postal Service (USPS), asking to pay additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it for fraudulent purposes and unauthorized charges.
Expecting the spike of this activity during summer time, USPS has timely warned about the growing risk of package tracking text scams sent via SMS/iMessage. The spike of this activity has been observed during August with big number of domain names registered by attackers.
The notable detail of âSmishing Triadâ campaign is that bad actors used solely iMessage sent from compromised Apple iCloud accounts as the main delivery method of malicious messages to victims instead of traditional SMS or calls how it was done in other scam campaigns like âPostalFuriousâ and âRedZeiâ observed by other researchers in the past.
âSmishing Triadâ also attacks online-shopping platforms and injects malicious code to intercept customer data. Around July 19, 2023 â there was identified a campaign conducted by the same actors targeting popular online-shopping platforms with malicious scenarios containing payment form impersonating Sumitomo Mitsui Banking Corporation (SMBC). Around same time, there were also identified customized forms impersonating New Zealand Transport Agency and the Agenzia delle Entrate (the Italian Revenue Agency), that enforces the financial code of Italy and collects taxes and revenue.
The bad actors also distribute an engine of fake online-shop (TrickyCart) allowing them to defraud consumers with a pseudo 3D Secure Payment form impersonating popular payment systems and e-commerce platforms including Visa, Mastercard and PayPal.
âSmishing Triadâ has own Telegram channel with over 2,725 members on it and several private groups. The actors are weaponizing other cybercriminals by selling them customized âsmishing kitsâ targeting popular U.S., U.K. and EU brands â starting at $200 per month provided on subscription with further support. Resecurity has identified a group of domain names used by âSmishing Triadâ registered in â.topâ zone via NameSilo and protected by Cloudflare around August 2023. Notably, some of the domain names are still functioning as well as the identified Telegram group managed by the actors.
After acquisition of the âsmishing kitâ, Resecurity was able to identify a vulnerability acting as a hidden backdoor in the code allowing actors to silently extract collected personal and payment data from their clients. According to researchers, such scenarios are widely used by cybercriminals in password stealers and phishing kits allowing them to profit from efforts of their clients or at least to monitor their activity. Resecurity was able to recover over 108,044 records with victimsâ compromised data in order to alert them about identity theft. The collected information has been shared with relevant law enforcement agencies and the United States Postal Inspection Service.
Resecurity highlighted that it may be complicated to disrupt such cybercriminal activity committed by foreign actors located in jurisdictions like China without proper law enforcement and industry collaboration. Therefor, Resecurity is sharing the information about the âSmishing Triadâ with the wider community and network defenders to raise awareness and safeguard their customers.
Further technical details are available in the report published by ReSecurity.
The OWASP Foundation’s Top Ten lists have consistently aided defenders in directing their attention towards particular technologies, and the OWASP API (Application Programming Interface) Security Top 10 2023 is no different. Originally formulated five years ago and recently revised, its goal is to tackle evolving attack techniques.
However, the OWASP API Security Project leaders had their work cut out when deciding how to group and prioritize the threats. The list is put together based upon industry input and must reflect compliance concerns, so it was never going to completely satisfy all people. The question is, does it go far enough to be of value to those in the thick of it when it comes to API development and defense?
What has changed and what has stayed the same?
By comparing the old and the new list, we can see that the top two threats â API1 Broken Object Level Authorization (BOLA) and API2 Broken User Authentication â have remained unchanged. API1 denotes the manipulation of the identification of an object that is sent within a request to the API while API2 marks the abuse of authentication mechanisms through attacks such as credential stuffing, including forgotten/rest password functions. They provide the quickest wins for attackers, and itâs easy to see why these continue to the top the list.
API3 replaced Excessive Data Exposure with Broken Object Property Level Authorization. Does this mean we have solved the problem of sensitive data exposure? Alas, no, it continues to be a huge problem. What this change signifies is the next stage an attacker would take when exploiting sensitive data exposure, i.e., break through the property level authorization. So why has the Project decided to make the change? Probably for the sake of clarity, because sensitive data exposure is an issue that spans the rest of the list. But some, including myself, would argue that this isnât the right way to present the issue, because it declasses what is a very serious issue.
Similarly, API6 was Mass Assignment in 2019 and is now Unrestricted Access to Sensitive Business Flows. Are they different? Not really. Both are talking about taking advantage of objects and their properties within the application flow, with the examples listed on the project page referring to a ride share app where functionality is exploited in the backend. There is, however, something subtle about the naming that makes the 2023 version seem like something that needs to be fixed, rather than being nebulous and confusing, so in that respect it is an improvement.
Bring bots into the mix
API6 also plays to how an API that isnât functioning properly can swiftly end up with attack automation being utilized against it in the form of bot attacks. This is important because thereâs always been an artificial distinction made between API and bot attacks, with the security sector offering different solutions for each when the reality is that automated attacks can and are launched against APIs. So, it no longer makes sense to monitor for API attacks and bot attacks separately: bot mitigation has to become part of API security. This is apparent in our recent report, which revealed that automated attacks dwarfed other TTPs in the analysis of traffic during the last quarter of 2022.
Overall, the new list largely redefines many of the previous tactics, techniques and procedures (TTPs) in a bid to be more inclusive. API4, for instance, has moved from Lack of Resources and Rate Limiting to become Unrestricted Resource Consumption, reflecting the fact that rate limiting extends beyond the issue of network capacity. Other resources that can be abused if limits are not set include CPU, memory and storage, for example, but just as importantly, service providers can find service resources maxed out by API requests. They may provide emails, texts or phone calls and a repeat API request can see that service provider rack up huge service costs.
However, there are some changes in the order and new concepts in there towards the end. API7 Security Misconfiguration drops a place to API8 as there has been progress made in this area.
API7 is now Server Side Request Forgery (SSRF). APIs are a prime target for SSRF attacks because they routinely channel outbound traffic from an application. Developers often access external resources, such as web hooks, file fetching from URLs or custom SSO and URL previews â states the Project â or cloud or container providers expose management and control channels to compromise via HTTP. And the old API8, Injection attacks? Thatâs no longer a separately categorized threat again because itâs typically adopted in many of the other attack types.
Significant changes
API9 sees another subtle but important change in the wording: from Improper Assets Management to Improper Inventory Management. This reflects the heightened number of shadow APIs that are out there which once deployed are no longer monitored and effectively fall off the security teamâs radar. Unmanaged, unknown and unprotected, these APIs are then sitting ducks for attackers who now actively search for them. In fact, we found that 45 billion search attempts were made for shadow APIs during the second half of 2022, compared to five billion during the first six months. A runtime API inventory that continuously monitors production APIs is therefore vital to ensure all APIs that go live are protected yet itâs one of the key failings in organisations today.
Finally, API10 has changed from Insufficient Logging and Monitoring, now largely covered by API9, to Unsafe Consumption of APIs. This reflects the extension weâve seen of the API software chain, with APIs now often being integrated with other APIs. The problem that has arisen is that developers tend to inherently trust interactions with these external APIs, particularly from well-known companies, even though they may be flawed and/or be leaking data.
Clearly a great deal of thought has gone into adjusting the OWASP API Top Ten to more accurately address the TTPs that attackers are now using. The result sees both minor and some major changes to the list all of which are justified. Indeed, itâs not the descriptors but the list itself that is problematic. Itâs an arbitrary concept thatâs designed to attract attention to and heighten the profile of API security but does it do anything to further how we defend against these attacks?
How it holds up under an attack scenario
If we use breach analysis, we can compare a typical breach to the categories in the list to see how the concept stacks up. Many breaches start out with an API that the victim organization was unaware they had ( API9 in the 2023 list). This API is then found to return some kind of data about a user that isnât the attacker (API1). Now the attacker is going to create attack automation using a bot to try to exploit this as quickly and as completely as possible (API6), completing the attack chain and giving the attacker access to data hidden in the victim organizationâs systems.
Itâs evident that such an attack would cross at least three of the attack categories so prioritizing them becomes immaterial. Indeed, such trinity attacks are gaining ground, with 100 million detected during the first half of 2022.
Whatâs more, as well as seeing attackers pivot during an attack and utilize known TTPs, we are also seeing them come up with unique TTPs to attempt to subvert the API. These grew more than fivefold between June and November (from 2,000 to 11,000). Most of those attacks were geared towards achieving account takeover (ATO), scraping to perform reconnaissance or to exfiltrate data, and hunting for business logic flaws within the API to commit fraud.
Keeping up with such diverse attacks requires the security team to focus not just on its defense but methods of detection and mitigation. Whether it is knowing where APIs are, testing them for flaws or stopping bots attacking unknown flows, API security needs to become more comprehensive, tracking and protecting the API throughout its entire lifecycle.
A sound summary of TTPs
The new OWASP API Top 10 may not be perfect, but it does cover the bases and provides a great starting point from which to address the topic. It now recognizes that some attack methods such as sensitive data and exposure and injection attacks span multiple TTPs and so do not require a separate category. It also amplifies the need for bot mitigation as part of API security, and the complex nature of API ecosystems that are seeing them integrated with one another, for instance.
But its structure is not conducive to showing how these attacks are being used in the wild. It still compartmentalizes these attacks when threat actors are becoming much more versatile and combining them.
Realistically, the only way of keeping pace with this rapidly evolving threat landscape is to monitor and manage those APIs. Creating a runtime inventory, conducting API threat surface assessments, carrying out specification anomaly detection and putting in place real-time automated bot detection and mitigation are all now essential to protect the API footprint of the business.
